Claims

[c1] A method of sharing a state between stateful firewalls on a Multiple Entry/Exit Point (MEP) network for data exchange between a server and a client through firewalls physically remote from each other, comprising the steps of:

(a) one of the firewalls receiving a SYN packet sent from the client to the server;

(b) the firewall creating a modified SYN cookie (hereinafter referred to as an m.SYN cookie), modifying the SYN packet using the m.SYN cookie and sending the SYN packet to the server, and the server sending a SYN/ACK packet to the client in response to the SYN packet;

(c) the firewall, which has received the SYN/ACK packet, extracting a firewall identifier ID_fw from the SYN/ACK packet and sending the SYN/ACK packet to a corresponding one of the firewalls, the corresponding firewall searching a state table for connection information and sending the connection information, together with the SYN/ACK packet, to the firewall, which has received the SYN/ACK packet; and

(d) the firewall, which has re-received the SYN/ACK packet, updating the state table, changing an acknowledgement number of the SYN/ACK packet to an Initial Sequence Number (ISN) + 1, and sending the SYN/ACK packet to the client.

[c2] The method as set forth in claim 1, wherein the firewalls share a synchronized time counter, which is increased at regular intervals, and the same secret key.

[c3] The method as set forth in claim 1, wherein the state table includes a difference between the ISN and the m.SYN cookie, and connection information, including a source address, a destination address, a protocol, a source port and a destination port number of the packet.

[c4] The method as set forth in claim 1, wherein step (a) further comprises the step of:

the firewall, which has received the SYN packet, inspecting the SYN packet according to a preset firewall rule, and performing step (b) if a current connection is a permitted connection, or discarding the SYN packet if the current connection is not the permitted connection.

[c5] The method as set forth in claim 2, wherein the m.SYN cookie includes upper bits of the ISN of the SYN packet, bits of the time indicated by the time counter of the firewall, which creates the m.SYN cookie, at the time of creation of the m.SYN cookie, and bits of an output value of a hash function.

[c6] The method as set forth in claim 2, wherein the m.SYN cookie includes ISN_17, T and Hash_13 + ID_fw, ISN_17 being determined by the upper 17 bits of the ISN of the SYN packet, T being determined by the least significant two bits of the time indicated by the time counter of the firewall, which creates the m.SYN cookie, at the time of creation of the m.SYN cookie, and Hash_13 being determined by the following Equation:

Hash_13 = Hash(k, sa, sp, da, dp, time, ISN >> 15) % 2^13

where Hash() is an output value of a hash function, k is a secret key, sa is a source address, sp is a source port number, da is a destination address, dp is a destination port number, ISN >> 15 is a value obtained by eliminating the lower 15 bits from the ISN, Hash() % 2^13 is the value of the lower 13 bits of the output value of the hash function, and time is the time indicated by the time counter of the firewall, which creates the m.SYN cookie, at the time of creation of the m.SYN cookie.

[c7] The method as set forth in claim 1, wherein step (b) is performed in such a way that the ISN of the SYN packet is replaced with the created m.SYN cookie, and the connection information including the difference between the ISN and the m.SYN cookie is stored in the state table of the firewall.



[c8] The method as set forth in claim 1, wherein step (c) further comprises the steps of:

(c1) extracting the ID_fw from the SYN/ACK packet;

(c2) verifying whether the extracted ID_fw is valid;

(c3) comparing the ID_fw, which is verified to be valid at step (c2), with the ID_fw of the firewall, which has received the SYN/ACK packet; and

(c4) if, as a result of the comparison at step (c3), the two ID_fws are identical with each other, searching the state table of the firewall that has received the SYN/ACK packet and modifying the state table and the SYN/ACK packet, or if the ID_fws are different from each other, sending the SYN/ACK packet to the firewall corresponding to the extracted ID_fw.

[c9] The method as set forth in claim 8, wherein step (c1) is performed in such a way that the m.SYN cookie included in the SYN/ACK packet is extracted, and the ID_fw is extracted from the m.SYN cookie using the following equations:

ID_fw = (SC - Hash(k, sa, sp, da, dp, time, SC >> 15)) % 2^13

where SC is the m.SYN cookie included in the SYN/ACK packet, Hash() is an output value of a hash function, k is a secret key, sa is a source address, sp is a source port number, da is a destination address, dp is a destination port number, time is the time obtained using the following Equation, SC >> 15 is a value obtained by eliminating the lower 15 bits from the SC, and () % 2^13 is the value of the lower 13 bits of the value of ():

time = time_v + 1 - ((time_v + 1 - T) mod 4)

where time_v is the time indicated by the time counter of the firewall, which verifies the extracted m.SYN cookie, at the time of verification of the extracted m.SYN cookie, and T is the least significant two bits of the time indicated by the time counter of the firewall, which creates the m.SYN cookie, at the time of creation of the m.SYN cookie.

[c10] The method as set forth in claim 8, wherein step (c2) is performed in such a way as to compare the extracted ID_fw with a preset maximum ID_fw, and if the extracted ID_fw is not larger than the preset maximum ID_fw, verifying the extracted ID_fw to be valid, or if the extracted ID_fw is larger than the preset maximum ID_fw, verifying the extracted ID_fw to be invalid.
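The following Python is an added worked example, not text from the patent, implementing the m.SYN cookie layout and hash of claim 6, the ID_fw and creation-time recovery of claim 9, the maximum-ID check of claim 10, and the acknowledgement-number rewrite of claims 1(d), 3 and 7. It assumes HMAC-SHA256 as the unnamed hash function, a 32-bit time counter, the connection tuple normalized to the client-to-server direction, and a constructed key, connection tuple and maximum ID of 7.

```python
import hashlib
import hmac
import struct

MAX_ID = 7  # assumed preset maximum firewall ID (claim 10); not from the page

# Constructed sample values: shared secret and client->server 4-tuple (sa, sp, da, dp)
KEY = b"shared-secret-key"
CONN = (0x0A000001, 40000, 0xC0A80001, 443)


def hash13(key, conn, time, isn_hi):
    """Hash(k, sa, sp, da, dp, time, ISN>>15) % 2^13 (claim 6).
    HMAC-SHA256 is an assumption; the claims name no hash function."""
    sa, sp, da, dp = conn  # must be the client->server tuple even for the SYN/ACK
    msg = struct.pack("!IHIHII", sa, sp, da, dp, time & 0xFFFFFFFF, isn_hi)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % (1 << 13)


def make_cookie(key, conn, isn, time, fw_id):
    """Claim 6: SC = ISN_17 | T | (Hash_13 + ID_fw), 17 + 2 + 13 = 32 bits."""
    isn_hi = isn >> 15  # upper 17 bits of the ISN
    low13 = (hash13(key, conn, time, isn_hi) + fw_id) % (1 << 13)
    return (isn_hi << 15) | ((time & 3) << 13) | low13


def recover_time(time_v, t):
    """Claim 9: time = time_v + 1 - ((time_v + 1 - T) mod 4).
    Accepts a verifier clock one tick behind or up to two ticks ahead."""
    return time_v + 1 - ((time_v + 1 - t) % 4)


def extract_id(key, conn, sc, time_v):
    """Claim 9: ID_fw = (SC - Hash(k, ..., time, SC>>15)) % 2^13."""
    t = (sc >> 13) & 3  # the two T bits carried in the cookie
    h = hash13(key, conn, recover_time(time_v, t), sc >> 15)
    return ((sc & 0x1FFF) - h) % (1 << 13)


def id_is_valid(fw_id, max_id=MAX_ID):
    """Claim 10: accept only an ID_fw not larger than the preset maximum."""
    return fw_id <= max_id


def rewrite_ack(ack, delta):
    """Claims 1(d), 3, 7: the server acknowledges SC + 1; adding the stored
    difference ISN - SC restores the ISN + 1 the client expects."""
    return (ack + delta) & 0xFFFFFFFF
```

A verifier more than two ticks past the creation time recovers the wrong time and therefore the wrong ID_fw, which is the built-in expiry of the cookie.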